authorRichard Levitte <levitte@openssl.org>2017-07-05 20:54:08 +0200
committerRichard Levitte <levitte@openssl.org>2017-07-05 22:38:00 +0200
commit11d66064f36e6968faffb48a2cfd58cbe37eff0c (patch)
tree421b6a01de0ec2732dab94cc13fe1d20f30970b0 /crypto/store
parentc8feba723a33e15201009d716d9ead02e653dfe6 (diff)
STORE 'file' scheme loader: fix try_decode_params() to check ambiguity
The way try_decode_params works in raw mode, it would take the first ASN1 that could decode and return a STORE_INFO with the resulting EVP_PKEY. This change has it go through all the matching ASN1 methods and properly check if there's more than one match, i.e. an ambiguity. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3863)
Diffstat (limited to 'crypto/store')
-rw-r--r--crypto/store/loader_file.c36
1 files changed, 26 insertions, 10 deletions
diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c
index ebcad03ead..5b0ca97756 100644
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@@ -480,12 +480,13 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
*matchcount = 1;
}
- if ((pkey = EVP_PKEY_new()) == NULL) {
- OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
- return NULL;
- }
-
if (slen > 0) {
+ if ((pkey = EVP_PKEY_new()) == NULL) {
+ OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+ return NULL;
+ }
+
+
if (EVP_PKEY_set_type_str(pkey, pem_name, slen)
&& (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
&& ameth->param_decode != NULL
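Review bot: Moving `EVP_PKEY_new()` under `if (slen > 0)` makes the raw-mode path in the second hunk (`if (pkey != NULL) EVP_PKEY_free(tmp_pkey); else pkey = tmp_pkey;`) depend on `pkey` being NULL on entry, and its declaration is outside both hunks; if it is not initialised to NULL there, the first raw-mode match would leak `tmp_pkey` and an indeterminate `pkey` would reach the `if (ok)` path. It is worth confirming the declaration reads `EVP_PKEY *pkey = NULL;` and recording the invariant above the `if (slen > 0)` with `/* pkey stays NULL on the raw-mode path; the loop below allocates it for the first match */`. The two consecutive added blank lines after the allocation block should be collapsed to one. try_decode_params begins before this hunk and its body continues past it.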
@@ -493,22 +494,37 @@ static OSSL_STORE_INFO *try_decode_params(const char *pem_name,
ok = 1;
} else {
int i;
+ EVP_PKEY *tmp_pkey = NULL;
for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
const unsigned char *tmp_blob = blob;
+ if (tmp_pkey == NULL && (tmp_pkey = EVP_PKEY_new()) == NULL) {
+ OSSL_STOREerr(OSSL_STORE_F_TRY_DECODE_PARAMS, ERR_R_EVP_LIB);
+ break;
+ }
+
ameth = EVP_PKEY_asn1_get0(i);
if (ameth->pkey_flags & ASN1_PKEY_ALIAS)
continue;
- if (EVP_PKEY_set_type(pkey, ameth->pkey_id)
- && (ameth = EVP_PKEY_get0_asn1(pkey)) != NULL
+
+ if (EVP_PKEY_set_type(tmp_pkey, ameth->pkey_id)
+ && (ameth = EVP_PKEY_get0_asn1(tmp_pkey)) != NULL
&& ameth->param_decode != NULL
- && ameth->param_decode(pkey, &tmp_blob, len)) {
+ && ameth->param_decode(tmp_pkey, &tmp_blob, len)) {
+ if (pkey != NULL)
+ EVP_PKEY_free(tmp_pkey);
+ else
+ pkey = tmp_pkey;
+ tmp_pkey = NULL;
(*matchcount)++;
- ok = 1;
- break;
}
}
+
+ EVP_PKEY_free(tmp_pkey);
+ if (*matchcount == 1) {
+ ok = 1;
+ }
}
if (ok)